This invention relates to the use of Hidden Secrets and security token devices to control access to Secure Systems. It provides a dual factor method of authentication, but does so in such a manner that a single security token can be used to control access to an unlimited number of Secure Systems, each with a unique login password. The invention also provides a system whereby, at the user's discretion, other users may be granted access to the locked user account.
Traditionally, access to a computer is controlled by software which requires the user to log in with a password previously registered with that computer. If the password entered by the user matches the registered password, the user is allowed access to the system. Similarly, by entering the correct password, a user can log into a remote storage server, where control software determines which files can be read or updated.
More recently, with the need to improve security, some computers require the user to possess a hardware device in order to log in. This hardware token is usually a “smart card” or a Universal Serial Bus (USB) device. In either case, the security token stores information or secrets in such a way that they can only be accessed in accordance with the programming inside the device. In conventional use, the token stores the passwords or certificates used to log into computers and servers. To log in, the user must enter a PIN (Personal Identification Number) associated with the security token. The security token then releases the secret user password or certificate and permits login. This approach is stronger than a password alone, since access to the system requires “something you know”—the PIN—and “something you have”—the security token.
State-of-the-art products providing dual factor authentication in this way suffer from deficiencies and limitations that prevent the realization of their full potential and effectiveness.
First, if the token uses the same internally stored password to log into a large number of systems, anyone who obtains that password gains access to every one of those systems. On the other hand, if every system has a unique password, the token must store all of the passwords, which requires more internal memory inside the device and still limits the number of systems that can be accessed.
Second, once a system has been secured by a token, if the token is lost or damaged, access to the system is lost, along with the protected data and information.
Third, current systems do not provide a scheme whereby access protected by a security token device can be managed in such a way that users are organized into security groups, with each member of a group sharing access to computers, servers, or protected facilities.
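The first deficiency above (one shared password versus one stored password per system) can be illustrated with a small model of a PIN-unlocked token and several Secure Systems. The following is an added example and is not the patent's own scheme: the patent names “Hidden Secrets” but does not specify a derivation algorithm, so HMAC-SHA256 over a system identifier is an assumed stand-in, chosen to show that a token holding a single secret can produce a distinct password for each system without storing any of them, and that compromise of one derived password does not open the others. The class names, the PIN, the master secret and the system identifiers are all constructed for the example.

```python
"""Model of a PIN-unlocked security token that derives one password per system.

Added illustration, not the patent's method: the per-system derivation
(HMAC-SHA256 keyed by the token's master secret, over the system identifier)
is an assumption standing in for the patent's unspecified Hidden Secret scheme.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # server-side password hashing cost (illustrative)


class SecurityToken:
    """'Something you have': holds one master secret, released only after the PIN."""

    def __init__(self, master_secret: bytes, pin: str):
        self._secret = master_secret                      # never leaves the token
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False
        self.failed_attempts = 0

    def unlock(self, pin: str) -> bool:
        """'Something you know': constant-time PIN check; counts failures for lockout."""
        ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        if ok:
            self._unlocked = True
            self.failed_attempts = 0
        else:
            self.failed_attempts += 1
        return ok

    def derive_password(self, system_id: str) -> str:
        """Unique password for system_id, computed on demand; nothing per-system is stored."""
        if not self._unlocked:
            raise PermissionError("token is locked; enter PIN first")
        mac = hmac.new(self._secret, system_id.encode(), hashlib.sha256).hexdigest()
        return mac[:32]


class SecureSystem:
    """Server side: stores a salted PBKDF2 hash of the registered password, never the password."""

    def __init__(self, system_id: str):
        self.system_id = system_id
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._hash(password, salt), stored)


def run_scenario() -> dict:
    """Register one token with three systems, then show containment of a leaked password."""
    token = SecurityToken(master_secret=bytes(range(32)), pin="4821")  # constructed values
    systems = [SecureSystem(f"server-{i}") for i in range(3)]           # constructed ids

    if not token.unlock("4821"):
        raise RuntimeError("PIN rejected")
    for s in systems:
        s.register("alice", token.derive_password(s.system_id))

    pw0 = token.derive_password("server-0")   # suppose this one leaks
    return {
        "unique_passwords": len({token.derive_password(s.system_id) for s in systems}),
        "own_system_ok": systems[0].login("alice", pw0),
        "leaked_pw_on_other_system": systems[1].login("alice", pw0),
        "wrong_pin_counts": SecurityToken(b"x" * 32, "0000").unlock("1111"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Because the password for each system is recomputed from the master secret and the system identifier, the number of systems is bounded only by the identifier space, not by the token's memory; and because the systems store only salted hashes of the derived passwords, a database leak at one server yields neither the master secret nor the passwords for the other servers.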